Ashley Madison Hack

In July of 2015 employees at Avid Life Media (ALM), the owners of Ashley Madison (the hookup site for cheaters) and Established Men (a “sugar daddy” dating site) logged into their computers greeted with a warning message saying that unless the company shut down Ashley Madison and Established Men they would release PII user information into the public. The message was accompanied by the song “Thunderstruck” by AC/DC.

On July 19, 2015, The Impact Team–the hacking group responsible for the intrusion– gave an ultimatum that ALM had 30 days to shut down their websites or the data would be released.

What motivated the threat? The group said it was upset that ALM offered a service that allowed users to delete their accounts if they paid $20 but in truth the data wasn’t being deleted, rather it was just being hidden.

On August 18, 2015, in a Pastebin post titled “TIME’S UP” The Impact Team released 10GB of PII–physical addresses, email addresses, credit card numbers and user sexual preferences– of some of their more than 20 million users.

On August 20, 2015 another 20GB of internal company data was released, which included source code for Ashley Madison and internal emails from ALM CEO Noel Biderman.

In a Q&A with Motherboard The Impact Team claimed that the hack was “easy” and as for security, “Bad. Nobody was watching. No security.” They also claimed to have hacked into their systems and gained access years earlier.

Later on, security researcher Gabor Szathmari discovered within Ashley Madison’s source code were hardcoded security credentials including “database passwords, API secrets, authentication tokens and SSL private keys.” A giant no-no. Another group called CynoSure Prime discovered that due to poor encryption policies on passwords–many passwords still used MD5 hashing a highly vulnerable protocol–they were able to crack over 11 million passwords in 10 days.

On August 23, 2015 a third round of dumps took place, which included a list of government email addresses used to sign up for the service.

What ensued were reports of blackmail attempts and identity theft of the users and eventually multi-million dollar class action law suits against the company, resignations, more dumps and recriminations from all sides.

It was later discovered by Annalee Newitz, editor-in-chief of Gizmodo, that less than 1% of the female users used their accounts more than once. That along with the fact that thousands of accounts were created by the same IP address suggested that there were many many fake accounts used to lure men to the site. Newitz later changed her conclusion to inconclusive.

Interesting Facts:

Within days of the dump, websites appeared where users could see if their email address was part of the breach.

“123456” and “password” were the most popular passwords for for Ashley Madison users.

In August 2015 Toronto police announced two suicides were linked to the release of the user data. More suicides were said to follow.